fix(cilium): explicitly assign appProtocol to gRPC services

vehagn · vehagn · commit 50dedbaee295 · 2025-10-25T15:17:56.000+02:00
This fixes NetBird agents not connecting to the manager ./caller_not_available:0: 2025/10/12 18:16:42 WARNING: [core] [Channel #98 SubChannel #99]grpc: addrConn.createTransport failed to connect to { Addr: "netbird.stonegarden.dev:443", ServerName: "netbird.stonegarden.dev:443", BalancerAttributes: { "<%!p(pickfirstleaf.managedByPickfirstKeyType={})>": "<%!p(bool=true)>" } }. Err: connection error: desc = "transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property. If you upgraded from a grpc-go version earlier than 1.67, your TLS connections may have stopped working due to ALPN enforcement. For more details, see: grpc/grpc-go#434" Related to cilium/cilium#39484 Signed-off-by: Vegard Hagen <vegard@stonegarden.dev>
diff --git a/k8s/infra/network/cilium/values.yaml b/k8s/infra/network/cilium/values.yaml
@@ -76,8 +76,8 @@ loadBalancer:
 
 gatewayAPI:
   enabled: true
-#  enableAlpn: true
-#  enableAppProtocol: true
+  enableAlpn: true
+  enableAppProtocol: true
 
 envoy:
   prometheus:
diff --git a/k8s/infra/vpn/netbird/management/svc.yaml b/k8s/infra/vpn/netbird/management/svc.yaml
@@ -10,4 +10,5 @@ spec:
   ports:
     - name: http
       port: 80
+      appProtocol: kubernetes.io/h2c
       targetPort: http
diff --git a/k8s/infra/vpn/netbird/signal/svc.yaml b/k8s/infra/vpn/netbird/signal/svc.yaml
@@ -10,4 +10,5 @@ spec:
   ports:
     - name: http
       port: 80
+      appProtocol: kubernetes.io/h2c
       targetPort: http
